How can PHP developers prevent SQL injection attacks when working with MySQL databases?

SQL injection attacks can be prevented by using prepared statements with parameterized queries in PHP when interacting with MySQL databases. This approach ensures that user input is properly sanitized and treated as data rather than executable SQL code, reducing the risk of malicious SQL injection attacks.

// Establish a connection to the MySQL database
$mysqli = new mysqli(&quot;localhost&quot;, &quot;username&quot;, &quot;password&quot;, &quot;database&quot;);

// Prepare a SQL statement with a parameterized query
$stmt = $mysqli-&gt;prepare(&quot;SELECT * FROM users WHERE username = ?&quot;);
$stmt-&gt;bind_param(&quot;s&quot;, $username);

// Set the parameter value and execute the query
$username = $_POST[&#039;username&#039;];
$stmt-&gt;execute();

// Process the results
$result = $stmt-&gt;get_result();
while ($row = $result-&gt;fetch_assoc()) {
    // Do something with the data
}

// Close the statement and database connection
$stmt-&gt;close();
$mysqli-&gt;close();

Keywords

PHP MySQL SQL injection prepared statements parameterized queries

How can PHP developers prevent SQL injection attacks when working with MySQL databases?

Keywords

Related Questions